Use common code within manila.policy module
Rewrote the 'init' and 'reset' functions to use the same functionality from the common policy enforcer code. Changed the path to the test policy file, because the policy enforcer uses the oslo.config 'find_file' method, which was not used before and does not know about the test policy file. Partially-implements blueprint use-common-code Change-Id: I26ed170d39ed183899ee4420dc04d512cf3172e2
parent
c8112434eb
commit
284936f43b
@ -16,48 +16,27 @@
|
|||||||
"""Policy Engine For Manila"""
|
"""Policy Engine For Manila"""
|
||||||
|
|
||||||
import functools
|
import functools
|
||||||
import os.path
|
|
||||||
|
|
||||||
from oslo.config import cfg
|
|
||||||
|
|
||||||
from manila import exception
|
from manila import exception
|
||||||
from manila.openstack.common import policy
|
from manila.openstack.common import policy
|
||||||
from manila import utils
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
|
||||||
|
|
||||||
_ENFORCER = None
|
_ENFORCER = None
|
||||||
_POLICY_PATH = None
|
|
||||||
_POLICY_CACHE = {}
|
|
||||||
|
|
||||||
|
|
||||||
def reset():
|
def reset():
|
||||||
global _POLICY_PATH
|
|
||||||
global _POLICY_CACHE
|
|
||||||
global _ENFORCER
|
global _ENFORCER
|
||||||
_POLICY_PATH = None
|
if _ENFORCER:
|
||||||
_POLICY_CACHE = {}
|
_ENFORCER.clear()
|
||||||
_ENFORCER = None
|
_ENFORCER = None
|
||||||
|
|
||||||
|
|
||||||
def init():
|
def init(policy_path=None):
|
||||||
global _POLICY_PATH
|
|
||||||
global _POLICY_CACHE
|
|
||||||
global _ENFORCER
|
global _ENFORCER
|
||||||
if not _POLICY_PATH:
|
|
||||||
_POLICY_PATH = CONF.policy_file
|
|
||||||
if not os.path.exists(_POLICY_PATH):
|
|
||||||
_POLICY_PATH = utils.find_config(_POLICY_PATH)
|
|
||||||
if not _ENFORCER:
|
if not _ENFORCER:
|
||||||
_ENFORCER = policy.Enforcer(policy_file=_POLICY_PATH)
|
_ENFORCER = policy.Enforcer()
|
||||||
utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE, reload_func=_set_rules)
|
if policy_path:
|
||||||
|
_ENFORCER.policy_path = policy_path
|
||||||
|
_ENFORCER.load_rules()
|
||||||
def _set_rules(data):
|
|
||||||
global _ENFORCER
|
|
||||||
default_rule = CONF.policy_default_rule
|
|
||||||
_ENFORCER.set_rules(policy.Rules.load_json(
|
|
||||||
data, default_rule))
|
|
||||||
|
|
||||||
|
|
||||||
def enforce(context, action, target, do_raise=True):
|
def enforce(context, action, target, do_raise=True):
|
||||||
|
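Review bot: The new `init(policy_path=None)` has no docstring, and this rendering has lost the indentation, so it is unclear whether `policy_path` is still honoured once `_ENFORCER` exists. If the `if policy_path:` check sits inside `if not _ENFORCER:`, a later call with a different path silently keeps enforcing the rules from the first file. Since this is the authorization policy, either apply the path on every call or say so up front, e.g. `"""Create the shared Enforcer on first use; policy_path is applied only at creation."""`. The removed `_set_rules` passed `CONF.policy_default_rule` explicitly; presumably the common `Enforcer()` reads that option itself, but confirm it so that actions without an explicit rule keep the same default. `enforce` continues outside the hunk.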
@ -14,9 +14,13 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo.config import cfg
|
import os
|
||||||
|
|
||||||
CONF = cfg.CONF
|
from manila.common import config
|
||||||
|
|
||||||
|
CONF = config.CONF
|
||||||
|
_POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path,
|
||||||
|
'manila/tests/policy.json'))
|
||||||
|
|
||||||
|
|
||||||
def set_defaults(conf):
|
def set_defaults(conf):
|
||||||
@ -24,7 +28,7 @@ def set_defaults(conf):
|
|||||||
conf.set_default('verbose', True)
|
conf.set_default('verbose', True)
|
||||||
conf.set_default('connection', "sqlite://", group='database')
|
conf.set_default('connection', "sqlite://", group='database')
|
||||||
conf.set_default('sqlite_synchronous', False)
|
conf.set_default('sqlite_synchronous', False)
|
||||||
conf.set_default('policy_file', 'manila/tests/policy.json')
|
conf.set_default('policy_file', _POLICY_PATH)
|
||||||
conf.set_default('share_export_ip', '0.0.0.0')
|
conf.set_default('share_export_ip', '0.0.0.0')
|
||||||
conf.set_default('service_instance_user', 'fake_user')
|
conf.set_default('service_instance_user', 'fake_user')
|
||||||
conf.set_default('share_driver',
|
conf.set_default('share_driver',
|
||||||
|
@ -33,6 +33,7 @@ CONF = cfg.CONF
|
|||||||
|
|
||||||
|
|
||||||
class PolicyFileTestCase(test.TestCase):
|
class PolicyFileTestCase(test.TestCase):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(PolicyFileTestCase, self).setUp()
|
super(PolicyFileTestCase, self).setUp()
|
||||||
# since is_admin is defined by policy, create context before reset
|
# since is_admin is defined by policy, create context before reset
|
||||||
@ -40,26 +41,27 @@ class PolicyFileTestCase(test.TestCase):
|
|||||||
policy.reset()
|
policy.reset()
|
||||||
self.target = {}
|
self.target = {}
|
||||||
|
|
||||||
def tearDown(self):
|
|
||||||
super(PolicyFileTestCase, self).tearDown()
|
|
||||||
policy.reset()
|
|
||||||
|
|
||||||
def test_modified_policy_reloads(self):
|
def test_modified_policy_reloads(self):
|
||||||
with utils.tempdir() as tmpdir:
|
with utils.tempdir() as tmpdir:
|
||||||
tmpfilename = os.path.join(tmpdir, 'policy')
|
tmpfilename = os.path.join(tmpdir, 'policy')
|
||||||
self.flags(policy_file=tmpfilename)
|
self.flags(policy_file=tmpfilename)
|
||||||
|
|
||||||
action = "example:test"
|
action = "example:test"
|
||||||
with open(tmpfilename, "w") as policyfile:
|
with open(tmpfilename, "w") as policyfile:
|
||||||
policyfile.write("""{"example:test": []}""")
|
policyfile.write("""{"example:test": []}""")
|
||||||
|
policy.init(tmpfilename)
|
||||||
policy.enforce(self.context, action, self.target)
|
policy.enforce(self.context, action, self.target)
|
||||||
with open(tmpfilename, "w") as policyfile:
|
with open(tmpfilename, "w") as policyfile:
|
||||||
policyfile.write("""{"example:test": ["false:false"]}""")
|
policyfile.write("""{"example:test": ["false:false"]}""")
|
||||||
# NOTE(vish): reset stored policy cache so we don't have to
|
# NOTE(vish): reset stored policy cache so we don't have to
|
||||||
# sleep(1)
|
# sleep(1)
|
||||||
policy._POLICY_CACHE = {}
|
policy._ENFORCER.load_rules(True)
|
||||||
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
|
self.assertRaises(
|
||||||
self.context, action, self.target)
|
exception.PolicyNotAuthorized,
|
||||||
|
policy.enforce,
|
||||||
|
self.context,
|
||||||
|
action,
|
||||||
|
self.target,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class PolicyTestCase(test.TestCase):
|
class PolicyTestCase(test.TestCase):
|
||||||
|
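Review bot: With `tearDown` removed, nothing visible in this section resets the module-global `policy._ENFORCER` after `test_modified_policy_reloads`. The rules loaded from the temp file (which is deleted when the `with` block exits) can therefore stay in effect for whichever test runs next, unless the base `test.TestCase` already resets policy. Registering the cleanup in `setUp` keeps the tests isolated: `self.addCleanup(policy.reset)`. The test also reaches into the private `policy._ENFORCER.load_rules(True)`, and the NOTE above it still refers to the removed policy cache. A comment that `True` presumably forces a reload regardless of the cached file state would make the intent clear.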